From ebb50476ac39b40499b25f05a596ffc2479b50f2 Mon Sep 17 00:00:00 2001 From: Jason Rasmussen Date: Mon, 9 Oct 2023 11:57:36 -0400 Subject: [PATCH] fix(server): timeline bucket access for shared links (#4404) --- server/src/domain/asset/asset.service.ts | 10 ++++++---- server/test/e2e/asset.e2e-spec.ts | 18 +++++++++++++++++- 2 files changed, 23 insertions(+), 5 deletions(-) diff --git a/server/src/domain/asset/asset.service.ts b/server/src/domain/asset/asset.service.ts index 87ab896fac..d809a9cb18 100644 --- a/server/src/domain/asset/asset.service.ts +++ b/server/src/domain/asset/asset.service.ts @@ -177,13 +177,15 @@ export class AssetService { private async timeBucketChecks(authUser: AuthUserDto, dto: TimeBucketDto) { if (dto.albumId) { await this.access.requirePermission(authUser, Permission.ALBUM_READ, [dto.albumId]); - } else if (dto.userId) { + } else { + dto.userId = dto.userId || authUser.id; + } + + if (dto.userId) { + await this.access.requirePermission(authUser, Permission.TIMELINE_READ, [dto.userId]); if (dto.isArchived !== false) { await this.access.requirePermission(authUser, Permission.ARCHIVE_READ, [dto.userId]); } - await this.access.requirePermission(authUser, Permission.TIMELINE_READ, [dto.userId]); - } else { - dto.userId = authUser.id; } } diff --git a/server/test/e2e/asset.e2e-spec.ts b/server/test/e2e/asset.e2e-spec.ts index fc057934a9..4f4021d59e 100644 --- a/server/test/e2e/asset.e2e-spec.ts +++ b/server/test/e2e/asset.e2e-spec.ts @@ -4,10 +4,11 @@ import { IPersonRepository, LibraryResponseDto, LoginResponseDto, + SharedLinkResponseDto, TimeBucketSize, } from '@app/domain'; import { AssetController } from '@app/immich'; -import { AssetEntity, AssetType } from '@app/infra/entities'; +import { AssetEntity, AssetType, SharedLinkType } from '@app/infra/entities'; import { INestApplication } from '@nestjs/common'; import { api } from '@test/api'; import { errorStub, uuidStub } from '@test/fixtures'; @@ -76,6 +77,7 @@ describe(`${AssetController.name} (e2e)`, () => { let server: any; let assetRepository: IAssetRepository; let defaultLibrary: LibraryResponseDto; + let sharedLink: SharedLinkResponseDto; let user1: LoginResponseDto; let user2: LoginResponseDto; let asset1: AssetEntity; @@ -114,6 +116,11 @@ describe(`${AssetController.name} (e2e)`, () => { createAsset(assetRepository, user1, defaultLibrary.id, new Date('1970-02-01')), createAsset(assetRepository, user2, defaultLibrary.id, new Date('1970-01-01')), ]); + + sharedLink = await api.sharedLinkApi.create(server, user1.accessToken, { + type: SharedLinkType.INDIVIDUAL, + assetIds: [asset1.id, asset2.id], + }); }); afterAll(async () => { @@ -507,6 +514,15 @@ describe(`${AssetController.name} (e2e)`, () => { ); }); + it('should not allow access for unrelated shared links', async () => { + const { status, body } = await request(server) + .get('/asset/time-buckets') + .query({ key: sharedLink.key, size: TimeBucketSize.MONTH }); + + expect(status).toBe(400); + expect(body).toEqual(errorStub.noPermission); + }); + it('should get time buckets by day', async () => { const { status, body } = await request(server) .get('/asset/time-buckets')